Apple security updates (August, 2003 and earlier)

This document outlines security updates for Apple products.
Note: For the protection of its customers, Apple does not
disclose, discuss or confirm security issues until a full investigation
has occurred and any necessary patches or releases are available.

Important: This document describes updates and releases from
August 2003 (2003-08) and earlier, such as Mac OS X 10.1, 10.2,
10.2.6 and Security Update 2003-08-14. For information about newer
security updates, see one of these documents:

Security updates are listed below according to the software release in which they first appeared. Where possible, CVE IDs (http://cve.mitre.org/cve/) are used to reference the vulnerabilities for further information.

Security Update 2003-08-14

fb_realpath(): Addresses CAN-2003-0466, a potential vulnerability in the fb_realpath() function, specifically in the FTPServer and Libc projects, which could allow a local or remote user to gain unauthorized root privileges on a system.

Security Update 2003-07-23

Fixes CAN-2003-0601 to improve the security of your system by assigning a "disabled" password to a new account created by Workgroup Manager until that account has been saved for the first time. This ensures the new account cannot be accessed by an unauthorized individual.

Security Update 2003-07-14

Screen Effects Password: Fixes CAN-2003-0518, a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user. Credit to Denis Ahrens for reporting this issue.

Security Update 2003-06-12 (Mac OS X Server only)

Apache 2.0: Fixes CAN-2003-0245 by updating Apache 2.0.45 to 2.0.46 to address a security hole in the mod_dav module that could be exploited remotely, causing an Apache Web server process to crash. Apache 1.3 is unaffected and is the primary web server on Mac OS X Server. Apache 2.0 is installed with Mac OS X Server, but off by default.

dsimportexport: Fixes CAN-2003-0420, in which a logged-in user could potentially view the name and password of the account running the dsimportexport tool.

Security Update 2003-06-09 (version 2.0)

AFP: Fixes CAN-2003-0379. When Apple File Service (AFP Server) in Mac OS X Server is serving files on a UFS or re-shared NFS volume, there is a potential vulnerability that can allow a remote user to overwrite arbitrary files.

Directory Services: Fixes CAN-2003-0378. When logging in via Kerberos on an LDAPv3 server, the account password may be sent in cleartext when Login Window falls back to trying a simple bind on the server.

IPSec: Fixes CAN-2003-0242, where incoming security policies that match by port would fail to match the correct traffic.

Mac OS X 10.2.5

Apache 2.0: Fixes CAN-2003-0132, a denial of service vulnerability in Apache 2.0 versions through 2.0.44. Apache 2.0 is distributed only with Mac OS X Server, and is not enabled by default.

Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege Escalation and DoS Attack. DirectoryServices is part of the Mac OS X and Mac OS X Server information services subsystem. It is launched at startup, setuid root and installed by default. It is possible for a local attacker to modify an environment variable that would allow the execution of arbitrary commands as root. Credit to Dave G. from @stake, Inc. for the discovery of this vulnerability.

File Sharing/Service: Fixes CAN-2003-0198, where the contents of the write-only DropBox folder can be revealed. When Personal File Sharing on Mac OS X or Apple File Service on Mac OS X Server is enabled, a "DropBox" folder is available by default to allow people to deposit files. This update no longer allows the permissions of the "DropBox" folder to be changed by a guest.

Samba: Fixes CAN-2003-0201 which could allow an anonymous user to gain remote root access due to a buffer overflow. The built-in Windows file sharing is based on the open source technology called Samba and is off by default in Mac OS X.

sendmail: Fixes CAN-2003-0161 where address parsing code in sendmail does not adequately check the length of email addresses. Only the patch from the sendmail team is applied to the currently-shipping version of sendmail in Mac OS X and Mac OS X Server.

QuickTime 6.1 for Windows

Fixes CAN-2003-0168, a potential vulnerability in QuickTime Player for Windows that could allow a remote attacker to compromise a target system. This exploit is only possible if the attacker can convince a user to load a specially crafted QuickTime URL. Upon successful exploitation, arbitrary code can be executed under the privileges of the QuickTime user.

Security Update 2003-03-24

Samba: Fixes CAN-2003-0085 and CAN-2003-0086 which could allow unauthorized remote access to the host system. The built-in Windows file sharing is based on the open source technology called Samba and is off by default in Mac OS X. This update only applies the security fixes to the currently-shipping 2.2.3 version of Samba on Mac OS X 10.2.4, and the Samba version is otherwise unchanged.

OpenSSL: Fixes CAN-2003-0147, to address an issue in which RSA private keys can be compromised when communicating over LANs, Internet2/Abilene, and interprocess communication on local machine.

Security Update 2003-03-03

Sendmail: Fixes CAN-2002-1337 in which a remote attacker could gain elevated privileges on affected hosts. Sendmail is not enabled by default on Mac OS X, so only those systems which have explicitly enabled sendmail are vulnerable. All Mac OS X users, however, are encouraged to apply this update. The sendmail fix is available in Security Update 2003-03-03.

OpenSSL: Fixes CAN-2003-0078, in which it is theoretically possible for a third-party to extract the original plaintext of encrypted messages sent over a network. Security Update 2003-03-03 applies this fix for Mac OS X 10.2.4; customers of earlier Mac OS X versions may obtain the latest openssl version directly from the OpenSSL Web site: http://www.openssl.org/

Mac OS X 10.2.4 (client)

Sendmail: Fixes CAN-2002-0906 Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, could permit a denial of service attack and possibly allow execution of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to also address CAN-2002-1165.

AFP: Fixes CAN-2003-0049 "AFP login permissions for the system administrator". Provides an option whereby a system administrator may or may not be allowed to log in as a user, authenticating via their admin password. Previously, administrators could always log in as a user, authenticating via their own admin password.

Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable to create arbitrary files or overwrite existing files, which could lead to obtaining elevated privileges. Credit to Dave G. from @stake, Inc. for discovering this issue.

Samba: Previous releases of Mac OS X are not vulnerable to CAN-2002-1318, an issue in Samba's length checking for encrypted password changes. Mac OS X currently uses Directory Services for authentication, and does not call the vulnerable Samba function. However, to prevent a potential future exploit via this function, the patch from Samba 2.2.7 was applied although the version of Samba was not changed for this update release. Further information is available from: http://samba.org/

Mac OS X 10.2.4 Server

QuickTime Streaming Server: Fixes CAN-2003-0050 QTSS Arbitrary command execution. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI can pass unvalidated input which could allow a remote attacker to execute arbitrary code on the server and to gain root privileges. Credit to Dave G. from @stake, Inc. for finding this vulnerability.

QuickTime Streaming Server: Fixes CAN-2003-0051 QTSS Physical path revelation. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI could be used to reveal the physical path upon which the Darwin/Quicktime Administration Servers are installed within. Credit to @stake, Inc. for finding this vulnerability.

QuickTime Streaming Server: Fixes CAN-2003-0052 QTSS Directory listings. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI could be used to reveal arbitrary directory listings due to the lack of user input validation within the application. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

QuickTime Streaming Server: Fixes CAN-2003-0053 QTSS Login credentials. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. A vulnerability in the handling of error messages from this CGI could be used in a cross-site scripting attack to gain valid login credentials. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

QuickTime Streaming Server: Fixes CAN-2003-0054 Arbitrary command execution when viewing QTSS logs. If an unauthenticated user of QuickTime Streaming Server makes a request to the streaming port, the request is then written to the log file. It is possible to craft the request such that arbitrary code can be executed when the logs are viewed by the system administrator via a browser. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

QuickTime Streaming Server: Fixes CAN-2003-0055 Buffer overflow in MP3 Broadcasting application. There is a buffer overflow in the stand-alone MP3Broadcaster application. An MP3 file which has a filename of over 256 bytes will cause a buffer overflow to occur. This could be used by local/ftp users to obtain elevated privileges. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

Sendmail: Fixes CAN-2002-0906 Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, could permit a denial of service attack and possibly allow execution of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to also address CAN-2002-1165.

AFP: Fixes CAN-2003-0049 "AFP login permissions for the system administrator". Provides an option whereby a system administrator may or may not be allowed to log in as a user, authenticating via their admin password. Previously, administrators could always log in as a user, authenticating via their own admin password.

Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable to create arbitrary files or overwrite existing files, which could lead to obtaining elevated privileges. Credit to Dave G. from @stake, Inc. for discovering this issue.

Samba: Previous releases of Mac OS X are not vulnerable to CAN-2002-1318, an issue in Samba's length checking for encrypted password changes. Mac OS X currently uses Directory Services for authentication, and does not call the vulnerable Samba function. However, to prevent a potential future exploit via this function, the patch from Samba 2.2.7 was applied although the version of Samba was not changed for this update release. Further information is available from: http://samba.org/

Integrated WebDAV Digest Authentication: The mod_digest_apple Apache module has been added to more easily enable digest authentication for an existing WebDAV realm. This eliminates the need to maintain a separate digest file containing the list of authorized users, passwords, and realms. mod_digest_apple works in coordination with Open Directory for user authentication. For further details, open the Help Viewer after installing Mac OS X Server version 10.2.4, select Mac OS X Server Help in the drawer, and search for "New: Enabling Integrated WebDAV Digest Authentication."

Mac OS X 10.2.3

fetchmail: Fixes CAN-2002-1174 and CAN-2002-1175, which could lead to a potential denial of service when using the fetchmail command-line tool. fetchmail is updated to version 6.1.2+IMAP-GSS+SSL+INET6.

BIND: Updated to version 8.3.4 to fix potential vulnerabilities in the domain server and client library from Internet Software Consortium (ISC) that comes with Mac OS X and Mac OS X Server. BIND is not turned on by default on Mac OS X or Mac OS X Server.

CAN-2002-1266: Local User Privilege Elevation via Disk Image File. It is possible for a local user to obtain elevated privileges on a system by opening a disk image file that was created on another computer with administrator level privileges.

CAN-2002-0830: This is FreeBSD-SA-02:36.nfs, a potential vulnerability in the Network File System (NFS) where a remote attacker could cause a denial of service.

IP Firewall: Under certain circumstances, the ipfw firewall built into Mac OS X may block packets that are explicitly allowed by the firewall rules. This does not meet the formal requirements of a security vulnerability and does not obtain a CVE ID.

CAN-2002-1267: CUPS Printing Web Administration is Remotely Accessible. A malicious user could access the port to run the CUPS Printing Web Administration utility. It would then be possible to cause a denial of service to a printer.

CAN-2002-1268: User Privilege Elevation via Mounting an ISO 9600 CD. Users could gain elevated privileges when logged into a system that has an ISO 9600 CD available to the file system.

CAN-2002-1269: NetInfo Manager Application could allow filesystem access. A security vulnerability in the NetInfo Manager application could allow a malicious user to navigate the file system.

CAN-2002-1270: map_fd() Mach system call can allow a file to be read. The map_fd() Mach system call can allow a caller to read a file for which they only have write access.

CAN-2002-1265: TCP issue in RPC. The RPC-based libc implementation could fail to properly read data from TCP connections. As a result, a remote attacker could deny service to system daemons. Further information is available in CERT VU#266817 at: http://www.kb.cert.org/vuls/id/266817

CAN-2002-0839, CAN-2002-0840, CAN-2002-0843: Apache. Apache is updated to version 1.3.27 to address a number of issues.

Mac OS X Server 10.2.2

Includes all security fixes noted in Mac OS X 10.2.2, plus CAN-2002-0661, CAN-2002-0654, CAN-2002-0654: Apache 2. Apache 2 is provided with Mac OS X Server, but not enabled by default. The version is updated to Apache 2.0.42 to address a number of issues.

StuffIt Expander Security Update 2002-10-15

Stuffit Expander: CAN-2002-0370. This update resolves a potential security vulnerability in versions 6.5.2 and earlier of Stuffit Expander. Further information is available at: http://www.kb.cert.org/vuls/id/383779

Security Update 2002-09-20

Terminal: This update fixes a potential vulnerability introduced in Terminal version 1.3 (v81) that shipped with Mac OS X 10.2 that could allow an attacker to remotely execute arbitrary commands on the user's system. Terminal is updated to version 1.3.1 (v82) with this Security Update.

Security Update 2002-08-23

This security update is for Mac OS X 10.2 and applies the fixes contained in Security Update 2002-08-02 which was for Mac OS X 10.1.5.

Security Update 2002-08-20

Secure Transport: This update enhances the certificate verification in OS X and is now in full compliance with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC2459).

Security Update 2002-08-02

This update addresses the following security vulnerabilities, which affect current shipping versions of Mac OS X Server. These services are turned off by default in Mac OS X client, however if these services are turned on then the client becomes vulnerable. Users of Mac OS X client should also install this update.

Software Update: Contains Software Update client 1.4.7 which adds cryptographic signature verification to the softwareupdate command line tool. This provides an additional means to perform software updates in a secure manner, along with the existing Software Update capability contained in System Preferences.

Security Update 7-12-02 (2002-07-12)

Software Update: Fixes CVE ID CAN-2002-0676 to increase the security of the Software Update process for systems with Software Update client 1.4.5 or earlier. Packages presented via the Software Update mechanism are now cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing new packages.

OpenSSH: Fixes two vulnerabilities, CAN-2002-0639 and CAN-2002-0640, where a remote intruder may be able to execute arbitrary code on the local system. Further details are available from: http://www.cert.org/advisories/CA-2002-18.html

Mac OS X 10.1.5

sudo - Fixes CAN-2002-0184, where a heap overflow in sudo may allow local users to gain root privileges via special characters in the -p (prompt) argument.

sendmail - Fixes CVE-2001-0653, where an input validation error exists in Sendmail's debugging functionality which could lead to a system compromise.

Internet Explorer 5.1 Security Update (2002-04)

This addresses a vulnerability that could allow an attacker to take over your computer. Microsoft has since discontinued support and development of Internet Explorer for Mac; please consider upgrading to Safari instead.

PHP - updated to version 4.1.2 to address the vulnerability CAN-2002-0081, which could allow an intruder to execute arbitrary code with the privileges of the web server. Further details at: http://www.cert.org/advisories/CA-2002-05.html

sort - Fixes the vulnerability described in CERT Vulnerability Note VU#417216 (http://www.kb.cert.org/vuls/id/417216) where an intruder may be able to block the operation of system administration programs by crashing the sort utility.

system clipboard / J2SE - Fixes a security issue that permitted unauthorized applets access to the system clipboard.

Apache - Fixed the potential vulnerability where .htaccess files might be visible to web browsers if created on HFS+ volumes. The Files directive in the httpd.conf file was modified to hide from web browsers all files whose names begin with .ht, regardless of case.
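The httpd.conf change described above, as an added illustration rather than Apple's shipped configuration: the first block is the case-sensitive pattern that a case-insensitive HFS+ volume lets a differently capitalised request slip past, the second one matches regardless of case. The exact directive Apple shipped is not given on this page, so the corrected pattern here is an assumption.

```apache
# Weak form: the regular expression is case-sensitive, but HFS+ is a
# case-insensitive filesystem. A request for /.HTACCESS or /.HtAccess
# still resolves to the .htaccess file on disk, yet does not match this
# pattern, so the file's contents are served to the browser.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Corrected form (assumed here, not the exact text Apple shipped): a
# bracketed character class makes the match case-insensitive, so every
# spelling of the ".ht" prefix is denied. Bracket classes work in both
# the POSIX regex engine of Apache 1.3 and the PCRE engine of Apache 2.
<Files ~ "^\.[Hh][Tt]">
    Order allow,deny
    Deny from all
</Files>
```

After restarting Apache, a request for /.htaccess and one for /.HTACCESS should both return 403 on an HFS+ document root; if the upper-case spelling still returns 200, the directive has not taken effect.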